strawberry: updated to 1.2.20
1.2.20 (2026.06.21):
Bugfixes:
* Defer writing playcount and rating tags for the currently playing MP3 file to prevent playback issues
* Fixed volume being reset during gapless playback when the sample rate changes between tracks
* Prevent duplicate songs with identical URL
* Fixed album shuffle to use the effective album artist
* Fixed collection watcher skipping symlinked directories
* Fixed collection subdirectory path handling when renaming directories
* Fixed songlyrics.com, elyrics.net and letras lyrics parsing
* Fixed SPC (GME) file parsing
* Fixed Tidal session not being cleared on authentication errors
* Fixed global shortcuts to use the first backend that registers successfully
* Prefer the volume UUID when identifying removable devices
* Save settings when the session manager requests a commit
* Set StartupWMClass in the desktop file to org.strawberrymusicplayer.strawberry
* Fixed two tabs closed when middle clicking on a playlist tab
[16 lines not shown]
pugixml: updated to 1.16
1.16
Add xml_node::ensure_child and xml_node::ensure_attribute that return the child/attribute with the specified name, adding one if it does not exist
PUGIXML_CHARCONV_FLOAT option can be enabled to switch floating point conversions to <charconv>, making conversions locale-independent and improving performance
Several performance improvements (XPath queries, node/attribute lookup) and bug fixes (remove_child stack overflow, load_file integer overflow on 32-bit systems)
py-dulwich: updated to 1.2.6
1.2.6 2026-05-31
* SECURITY: Honor ``core.protectNTFS``/``core.protectHFS`` on all
work-tree updates. The 1.2.5 path hardening (CVE-2026-42305) only
reached ``checkout`` and ``reset``; ``update_working_tree`` (used by
``merge``, ``pull`` and others) fell back to the default validator, so
a crafted branch could still check out an NTFS-unsafe name such as
``git~2`` even with ``core.protectNTFS=true``.
(Jelmer Vernooij; reported by donovan-jasper)
* SECURITY: Reject patch target paths that escape the work tree in
``apply_patches``. Patch headers are untrusted (e.g. ``git am`` of a
mailbox), so a ``+++``/rename path such as ``../../etc/cron.d/x`` or an
absolute path was joined onto the repo path and written outside the
working tree. Such paths are now refused.
(netliomax25-code)
[11 lines not shown]
py-ruff: updated to 0.15.18
0.15.18
Preview features
Handle nested ruff:ignore comments
Stop displaying severity in output
Use human-readable names in CLI output
Use human-readable names in LSP and playground diagnostics
[pydocstyle] Prevent property docstrings starting with verbs (D421)
[flake8-pyi] Extend PYI033 to Python files
Bug fixes
Detect equivalent numeric mapping keys
Detect mapping keys equivalent to booleans
Detect repeated signed and complex dictionary keys
[35 lines not shown]
catch2: updated to 3.15.1
3.15.1
Fixes
* Fixed potential OOB access when looking for start of broken UTF-8 sequence during linebreaking
* Fixed `TEMPLATE_LIST_TEST_CASE_METHOD` and `CATCH_TEMPLATE_PRODUCT_TEST_CASE` potentially causing ODR violations
ansible-core: updated to 2.21.1
v2.21.1
Security Fixes
- ansible-galaxy install - Ensure role requirements are passed as positional arguments to :command:`git clone`. Previously, a malicious role author could inject arbitrary git configuration in role dependencies. (CVE-2026-11332)
- psrp - Do not log raw stdout/stderr on verbosity 5 when task has ``no_log: true`` set
- winrm - Do not log raw stdout/stderr on verbosity 5 when task has ``no_log: true`` set
Bugfixes
- cli - handle empty value for PAGER (https://github.com/ansible/ansible/issues/86898).
- config - use correct key value for inject_invocation setting (https://github.com/ansible/ansible/issues/86999).
- free strategy - Fix ``IndexError`` when hosts become unreachable during playbook execution (https://github.com/ansible/ansible/issues/87027).
- meta pseudo-action - Fixed callback args passed to ``v2_runner_on_skipped`` when any ``meta`` action was skipped by a ``when`` condition; added test coverage. A previous regression caused the callback dispatch to be omitted and a warning issued.
- module_utils sanitize_keys and remove_value functions now sort their input to ensure matching subsets are always obscured.
- module_utils/basic.py - Fix ``AnsibleModule.run_command()`` to handle ``None`` return from non-blocking pipe reads (https://github.com/ansible/ansible/issues/86920).
- wait_for - use ``errno.ENOENT`` symbolic constant instead of hardcoded value for improved code portability.
mail/offlineimap3: import offlineimap3-8.0.2
Packaged for wip by J. Lewis Muir, William Brawner, and myself.
OfflineIMAP is a tool to simplify your e-mail reading. It synchronizes
remote IMAP folders and local Maildir folders. It is fast flexible
and safe. It is also useful if you want to use a mail reader that
does not have IMAP support, has poor IMAP support, or does not
provide disconnected operation.
mail/py-imaplib2: import py-imaplib2-3.6
imaplib2 is a threaded Python IMAP4 client.
Based on RFC 3501 and original imaplib module.
This is a version of imaplib that uses threads to allow full use of the
IMAP4 concurrency features, and to de-couple a user of imaplib from i/o
lags, except where explicitly allowed.
py-zeep: updated to 4.3.3
4.3.3
- Wire up the ``forbid_external`` setting (previously defined but unused
since the move off ``defusedxml`` in 4.0). When enabled it refuses to
transitively fetch ``http``/``https`` resources via ``xsd:import``,
``xsd:include``, ``wsdl:import`` or lxml entity resolution, raising
``zeep.exceptions.ExternalReferenceForbidden``. The user-supplied
entry-point WSDL/schema URL is still loaded. The default remains
``False`` to preserve existing behaviour; enable when loading WSDLs from
untrusted sources to mitigate SSRF via attacker-controlled import
targets.
- Internal tooling only: migrate dependency/build management to uv and
replace isort/flake8/black with ruff. No runtime changes.
QXlsx: updated to 1.5.1.1
1.5.1.1
Fix CMake shared library path and update GitHub Actions for Node.js
1.5.1
Revert std::lround usage
Fix Qt6.10 build due nodiscard in QTemporaryFile::open()
Search for GuiPrivate package with Qt 6.10
Add Chinese documentation
WorksheetPrivate: Remove unused q variable
Fix implicit size_t -> int conversions
Make qHash compatible with Qt6 signature
Fix: date1904 handling and 13 related style/workbook issues
Add an ExcelViewer example.
If there is no ht, then the property of customHeight is false
LargeData example
Add ExcelTableEditor example
add function to append new col/row
[14 lines not shown]
cmake cmake-gui: updated to 4.3.4
4.3.4
cmake-instrumentation(7), introduced in 4.3.0, has been changed to generate
index files and snippet files with a new version field format. It is now an
object with major and minor version components, { "major": 1, "minor": 0 }.
Previously it was an integer with only the major version, 1.
